Wireless security: four popular myths and 12 tips

A wireless network is of course less secure than a wired network. Yet you can elevate the security of your wireless network to a good level.

There are a couple of popular myths about securing a wireless network. At first, I'll disprove (convincingly, I hope) the four most common myths. Then I'll name 12 security measures that are truly effective.

THIS IS DEFINITELY WRONG! THE FOUR MYTHS:

Myth 1: not broadcasting the SSID (hiding the network name)

Hiding the SSID is bad, because.... it's dangerous not to broadcast the SSID! This sounds absurd, but I'll try to explain it.

To begin with, it's technically impossible to stop the SSID broadcast entirely. Because there are at least four(!) other ways in which a router still discloses a "hidden" SSID to the world.

Together with many data packages that the router sends, it still sends the SSID. Not encrypted. Easily receivable by everyone who's in the neighbourhood. The SSID is therefore still being broadcast, even when you've "hidden" the SSID in the configuration of the router!

With common network scanners, like Kismet, it takes only several seconds before a hacker picks up a "hidden" SSID.

Hiding the SSID even creates an extra risk(!): when you've disabled broadcasting of the SSID in the network router, the connected computers have to disclose their presence continually. So they spread the SSID everywhere they go. Your laptops will therefore, everywhere you turn them on, start shouting (at short intervals): "hey, is there a network around named XYZ?".

That makes your laptops an easy target. An attacker can set up an access point with the SSID of your network, so that your laptop will connect with it automatically, without asking for permission. The attacker then can monitor all of your network traffic and maybe even access the hard disk of your laptop.

Myth 2: using a MAC address filter

A MAC address filter is useless, because an attacker can easily see which MAC addresses gain access to the router. Then he can simply falsify (spoof) his own MAC address in order to get access.

With a MAC address filter you only make things more difficult for yourself. For example when you want to access the internet with another (new?) computer. Or when you've a visitor whom you want to grant the possibility to use his own laptop, to access your internet connection.

Myth 3: disabling DHCP

Disabling DHCP is a pure waste of time. It'll stop an attacker for a minute at most.

DHCP automatically distributes IP addresses. Disabling this is useless. An attacker can almost immediately see the IP scheme of the network and grant himself a valid IP address.

Myth 4: using WEP encryption

WEP is a very weak protection, which an attacker can crack within a minute. It's better than no encryption at all, but that's about it...

THIS IS THE WAY TO DO IT! 12 TIPS:

For applying the tips below, you need to change certain settings in the configuration of your router. You can access the configuration of your router, by entering a certain "web address" in your web browser. With many routers it's "web page" 192.168.1.1, but this may be different for your router: check the manual of your router.

Tip 1. Modify the settings only when connected with a network cable

When you change the configuration settings of your router, always do that when connected with a (temporary?) wire (ethernet cable). A wireless connection is too unreliable for this.

In the configuration settings of some routers, you can even restrict access to the configuration of the router, to wired connections. Thereby excluding wireless access to the configuration. Unfortunately, not every router offers this option. But when your router does, apply this restriction.

Tip 2. Update the firmware of the router

Check on the website of the router manufacturer, whether there's a firmware update available for your router. If so, apply it. Firmware updates solve security issues and fix bugs.

Tip 3. Broadcast the SSID (don't hide it)

The SSID (network name) should always be broadcast and therefore not be hidden. No exceptions. Explanation: see Myth 1 at the beginning of this page.

Tip 4. Change the default SSID

Change the default SSID (network name) to one of your own invention, from which it's not possible to deduce the brand and/or type of the router. Note: the name shouldn't contain spaces or special characters! Therefore not: John's network, but JohnsNetwork or Johns-network.

Tip 5. Choose WPA2 or WPA

The signal encryption should at least be WPA Personal. WPA2 Personal is even better, when both your router and your wireless card allow for it. Every reasonably modern router offers the possibility to set the encryption to WPA. Is your router so old that it can't handle WPA? Then definitely buy a new one. As soon as possible.

Tip 6. AES only

AES is the most modern and secure form of WPA encryption. So set it at "AES only". And therefore not at the older and less secure TKIP. Also not at "TKIP + AES", because in that case the encryption is still backwards compatible with TKIP.

For clarification: "AES only" is best, but TKIP is not bad. WPA with TKIP is still reasonably safe.

Tip 7. Create your own WPA key

Create your own WPA key and discard the WPA key that the manufacturer of your router may have installed on it. Choose a key with at least 10 signs. Four random words, connected by dashes, make an excellent key. Note: preferably don't use spaces!

Tip 8. Enable the firewall in your router

Turn on the firewall of the router. Most routers offer the possibility in their configuration, to enable a built-in firewall. Use that possibility.

Note the possible effect this may have on certain online games: sometimes you have to open a certain port in the firewall for those.

Tip 9. Change the administrator password of the router configuration

Change the administrator password of the configuration screen of the router. Normally, when you want to access the router configuration, you have to type an administrator password in order to gain access to the configuration (usually "admin" or something like that). Change this in a password of your own making. Don't use spaces!

Tip 10. Disable Wi-Fi Protected Setup (WPS) in your router

Most modern routers have the feature Wi-Fi Protected Setup (WPS). This feature is usually enabled by default. It's intended to make it easier for people with little knowledge of wireless security, to connect devices wirelessly without having to type long passphrases.

However, as could of course be expected from a feature like this (sigh...), WPS poses a massive security risk. With a simple brute-force attack, a remote attacker can recover the WPS PIN code in less than an hour, thus exposing the WPA/WPA2 pre-shared key of the wireless network.

The only solution is: disable WPS in your router straightaway. Some routers don't have the option to disable WPS; in that case, buy a new router that does. Buy it today.

Has WPS been enabled on your router? Then change the WPA/WPA2 key right after disabling WPS. Your network may have been hacked already...

Tip 11. Disable Universal Plug and Play (UPnP) in your router

Universal Plug and Play (UPnP) is a risky feature that exposes your router to attacks. It's therefore best to disable UPnP in the router.

Tip 12. Be careful with the use of unprotected networks of others

Be extra careful with the use of unprotected or shared networks of others (hotels, campings, airports). Everyone within reach of the unprotected wireless access point, is able to 1. monitor all of your wireless traffic and 2. attack your laptop directly.

The solution to both problems is, to assume that there already is an attacker that has complete access to your network traffic, and network access to your laptop. Send only encrypted information: always use https for viewing web pages (whenever possible). Keep your Linux updated. Enable the firewall (in the terminal: sudo ufw enable) and check SSL certificates of websites.

Want more tips about wireless internet?

Do you want more tips and tweaks about wireless internet? You might find these useful: